# Configure OpenVPN server

Here is a short guide on how to set up a VPN server on OpenWrt.

* Create `/dev/net/tun` inside the container on boot:

```
# sed -i '$i\
mkdir -p /dev/net\
mknod /dev/net/tun c 10 200' /etc/rc.local
```

## Add firewall rules

We will be using `169.254.11.0/29` as our VPN subnet.

* Allow port 1194 UDP from WAN:

```
# cat <
```

* Generate pre-shared key

```
# openvpn --genkey --secret ${EASYRSA_PKI}/tls.pem
```

* (Re-)initialize the PKI directory

```
# easyrsa --batch init-pki
```

* Generate DH parameters

```
# easyrsa --batch gen-dh
```

* Create a new CA

```
# easyrsa --batch build-ca nopass
```

* Generate a keypair and sign locally for a server

```
# easyrsa --batch build-server-full server nopass
```

* Generate a keypair and sign locally for a client

```
# easyrsa --batch build-client-full client nopass
```

Repeat the last step for any additional clients.

## Generate server configuration with UCI

```
# cat < client.ovpn
client
dev tun
proto udp
remote ${EASYRSA_REQ_CN} 1194
resolv-retry infinite
user 999
group 999
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
cipher AES-128-CBC
comp-lzo
$(cat ${EASYRSA_PKI}/tls.pem)
$(openssl x509 -in $EASYRSA_PKI/ca.crt)
$(openssl x509 -in $EASYRSA_PKI/issued/client.crt)
$(cat $EASYRSA_PKI/private/client.key)
EOF
```

Copy `client.ovpn` to your client and try to connect.

---

## Reference

1. https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic
1. https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4
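
Before handing `client.ovpn` to a client, it is worth checking which of the directives from the profile above are protective and which are worth revisiting. The script below is an added example, not part of the original guide: the function names `has_directive` and `lint_ovpn`, the host name `vpn.example.net` and the sample profile are assumptions made for illustration.

```shell
#!/bin/sh
# has_directive FILE NAME: succeeds if NAME starts a non-comment line.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# lint_ovpn FILE: one finding per line; non-zero status on any FAIL.
lint_ovpn() {
    f=$1; rc=0
    # Without this check a host holding any certificate from the same CA
    # (for example another client's) could pose as the server.
    if has_directive "$f" remote-cert-tls; then
        echo "OK   remote-cert-tls set"
    else
        echo "FAIL remote-cert-tls missing"; rc=1
    fi
    # The daemon should drop root after startup.
    if has_directive "$f" user && has_directive "$f" group; then
        echo "OK   user/group set"
    else
        echo "WARN user/group missing, daemon keeps its start-up privileges"
    fi
    # Compression before encryption can leak plaintext (VORACLE).
    if has_directive "$f" comp-lzo || has_directive "$f" compress; then
        echo "WARN compression enabled"
    fi
    # CBC is not an AEAD mode; OpenVPN 2.4 also supports AES-GCM ciphers.
    cipher=$(awk '$1 == "cipher" { print $2; exit }' "$f")
    case $cipher in
        *-CBC) echo "WARN cipher $cipher is CBC, not AEAD" ;;
    esac
    return $rc
}

# Constructed sample: directive lines of this guide's client.ovpn, with a
# placeholder host name and the inline key material left out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
client
proto udp
remote vpn.example.net 1194
user 999
group 999
remote-cert-tls server
cipher AES-128-CBC
comp-lzo
EOF
lint_ovpn "$sample"
```

Any change made to the compression or cipher settings on the client has to be mirrored in the server configuration, otherwise the tunnel will not come up.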